Cisco DNCS System Release 2.7 3.7 4.2 Design Guide
Security Recommendations for the DBDS Network in a DOCSIS Environment
4000358 Rev B
Data Paths and Traffic Flows
Introduction
One of the first steps in network security is to secure the data paths into, out of, and
within your network. There are nine network data paths requiring security
considerations. This section describes the data paths and traffic flows in the DBDS
that must be made secure and provides a diagram that shows the different data
paths and traffic flows. The recommendations that cover each flow are addressed in
DBDS Network Security, next in this chapter.
The following data paths must be made secure on the DBDS:
• Path 1: Registration between integrated cable modems, DHCT CPE, PC CPE,
  stand-alone cable modems, and the DOCSIS servers.
• Path 2: Communication among end-user devices (cable modem, DHCT CPE, PC
  CPE) within the same region.
• Path 3: Communication between the DBDS servers (application servers, DNCS,
  VOD servers) and the end-user devices.
• Path 4: Communication between the cable service provider’s server farm and
  Internet service provider registration servers to authenticate and authorize end
  users. This path may not exist if the cable service provider is also the Internet
  service provider providing HSD service to the end users.
• Path 5: Communication between end-user devices and the Internet.
• Path 6: Communication between application servers and the Internet. This
  communication exists today, but the physical connectivity depends on the server.
• Path 7: Communication between any DBDS network element and the Internet.
• Path 8: Communication between any DBDS network element and the server farm.
• Path 9: Communication between any DBDS network element and the DMZ
  network.
• Path 10: Communication between end-user devices and the DMZ network.